Abstract

An oracle chooses a function f from the set of n-bit strings to itself, which is either a randomly chosen permutation or a randomly chosen function. When queried by an n-bit string w, the oracle computes f(w), truncates the m last bits, and returns only the first n − m bits of f(w). How many queries does a querying adversary need to submit in order to distinguish the truncated permutation from a random function?

In 1998, Hall et al. [2] showed an algorithm for determining (with high probability) whether or not f is a permutation, using O(2^{(n+m)/2}) queries. They also showed that if m < n/7, a smaller number of queries will not suffice. For m > n/7, their method gives a weaker bound. In this manuscript, we show how a modification of the method used by Hall et al. can solve the problem completely. It extends the result to essentially every m, showing that Ω(2^{(n+m)/2}) queries are needed to get a non-negligible distinguishing advantage. We recently became aware that a better bound for the distinguishing advantage, for every m < n, follows from a result of Stam [3] published, in a different context, already in 1978.

Keywords: Pseudo random permutations, pseudo random functions, advantage. 


1 Introduction 

Distinguishing a randomly chosen permutation from a random function is a combinatorial problem 
which is fundamental in cryptology. A few examples where this problem plays an important role 
are the security analysis of block ciphers, hash and MAC schemes. 

One formulation of this problem is the following. An oracle chooses a function f : {0,1}^n → {0,1}^n, which is either a randomly (uniformly) chosen permutation of {0,1}^n, or a randomly (uniformly) chosen function from {0,1}^n to {0,1}^n. An adversary selects a “querying and guessing” algorithm. He first uses it to submit q (adaptive) queries to the oracle, and the oracle responds with f(w) to the query w ∈ {0,1}^n. After collecting the q responses, the adversary uses his algorithm to guess whether or not f is a permutation. The quality of such an algorithm (in the cryptographic context) is the ability to distinguish between the two cases (rather than successfully guessing which one it is). It is measured by the difference between the probability that the algorithm outputs a certain answer, given that the oracle chose a permutation, and the probability that the algorithm outputs the same answer, given that the oracle chose a function. This difference is called the “advantage” of the algorithm. We are interested in estimating Adv, which is the maximal advantage of the adversary, over all possible algorithms, as a function of a budget of q queries.


The well known answer to this problem is based on the simple “collision test” and the Birthday Problem:

$$\mathrm{Adv} = 1 - \prod_{k=1}^{q-1}\left(1 - \frac{k}{2^n}\right).$$

Since for every 1 ≤ k ≤ q − 1

$$\left(1 - \frac{k}{2^n}\right)\left(1 - \frac{q-k}{2^n}\right) \le \left(1 - \frac{q}{2^{n+1}}\right)^2,$$

we get, for q ≤ 2^n, that

$$1 - e^{-\frac{q(q-1)}{2^{n+1}}} \le 1 - \left(1 - \frac{q}{2^{n+1}}\right)^{q-1} \le \mathrm{Adv} \le 1 - \left(1 - \frac{q(q-1)}{2^{n+1}}\right) = \frac{q(q-1)}{2^{n+1}}. \qquad (1)$$

This result implies that the number of queries required to distinguish a random permutation from a random function, with success probability significantly larger than, say, 1/2, is Θ(2^{n/2}).

We now consider the following generalization of this problem:

Problem: Let 0 ≤ m ≤ n be integers. An oracle chooses c ∈ {0,1}. If c = 1, it picks a permutation p of {0,1}^n uniformly at random, and if c = 0, it picks a function f : {0,1}^n → {0,1}^n uniformly at random. An adversary is allowed to submit queries w ∈ {0,1}^n to the oracle. The oracle computes a = p(w) (if c = 1) or a = f(w) (if c = 0), truncates (with no loss of generality) the last m bits from a, and replies with the remaining (n − m) bits. The adversary has a budget of q (adaptive) queries, and after exhausting this budget, is expected to guess c. How many queries does the adversary need in order to gain non-negligible advantage?

Specifically, we seek q_{1/2} = min{q | Adv ≥ 1/2} as a function of m and n.


This problem was studied by Hall et al. [2] in 1998. The authors showed (for every m) an algorithm that gives a non-negligible distinguishing advantage using q = O(2^{(n+m)/2}) queries. They also proved the following upper bound:


Adv < 5 




( 2 ) 


For m < n/7, (2) implies that q_{1/2} = Ω(2^{(n+m)/2}). However, for larger values of m, the bound on q_{1/2} that is offered by (2) deteriorates, and eventually becomes (already for m > n/4) worse than the trivial “Birthday” bound q_{1/2} = Ω(2^{n/2}), which is obviously still valid when the adversary gets only partial (truncated) replies from the oracle.

Hall et al. [2] conjectured that Ω(2^{(n+m)/2}) queries are needed in order to get a non-negligible advantage, in the general case. Surprisingly, it turns out that this was already established 20 years before the conjecture was raised, in a different context. It follows from the bound

$$\mathrm{Adv} \le \frac{1}{2}\sqrt{\frac{(2^{n-m}-1)\,q(q-1)}{(2^n-1)\,(2^n-(q-1))}} \le \frac{1}{2\sqrt{1-\frac{q-1}{2^n}}}\cdot\frac{q}{2^{\frac{n+m}{2}}}, \qquad (3)$$

valid for all 0 ≤ m ≤ n, which is a direct consequence of a result of Stam [3, Theorem 2.3] (see also [1]).
In this manuscript we show how the method of proof used in [2] can be modified to show the lower bound q_{1/2} = Ω(2^{(n+m)/2}) for virtually every m < n. The result follows from explicit upper bounds on Adv stated in the following two theorems.

Theorem 1. If m < n/3 then 




Theorem 2. If n/3 ≤ m ≤ n − 4 − log_2 n then

2/3 


Adv < 3 


2^ 


+ 2 


2 ^ 


+ 5 


2 ^ 




(4) 

(5) 


The proofs of Theorem 1 and Theorem 2 are given in Section 3 and Section 4, respectively. The proofs follow the same line, but the proof of Theorem 2 is more elaborate and technical.


2 Notation and preliminaries 

For fixed m < n and g < 2" we denote ft := ({0,1}"“™)'^. We view 17 as the set of all possible 
sequences of replies that can be given by the oracle to the adversary’s q queries. For oj G II, let 
Prp(a;) and Pr/(a;) be the probabilities that ui is the actual sequence of replies that the oracle 
gives to the adversary’s q queries, in the case the oracle chose a random permutation or a random 
function, respectively. For every j > 2 and w G 17, let 

colj(a;) := #{1 < ii < i 2 < ■ ■ ■ < ij < q \ = ovi,, = ... = cui.}. 

Lemma 2.1. For every j ≥ 2,

Var,col,<PVb , ,l + 


Proof. Note that for every j ≥ 2, $\mathrm{col}_j = \sum_{J\in I_j} X_J$, where $I_j := \{\{i_1, i_2, \ldots, i_j\} \mid 1 \le i_1 < i_2 < \cdots < i_j \le q\}$ and $X_J$ is the indicator function of the event $\{\omega_{i_1} = \omega_{i_2} = \cdots = \omega_{i_j}\}$. Since clearly $\mathbb{E}_f X_J = 1/2^{(j-1)(n-m)}$ for every J, we immediately get that

$$\mathbb{E}_f\,\mathrm{col}_j = \mathbb{E}_f\sum_{J\in I_j}X_J = \binom{q}{j}\frac{1}{2^{(j-1)(n-m)}}.$$
Since $X_{J_1}$ and $X_{J_2}$ are clearly independent whenever $J_1$ and $J_2$ are disjoint,

$$\mathrm{Var}_f\,\mathrm{col}_j = \mathrm{Var}_f\sum_{J\in I_j}X_J = \sum_{J_1,J_2\in I_j}\left(\mathbb{E}_f X_{J_1}X_{J_2} - \mathbb{E}_f X_{J_1}\,\mathbb{E}_f X_{J_2}\right) = \sum_{\substack{J_1,J_2\in I_j\\ J_1\cap J_2\neq\emptyset}}\left(\mathbb{E}_f X_{J_1}X_{J_2} - \mathbb{E}_f X_{J_1}\,\mathbb{E}_f X_{J_2}\right) \le \sum_{\substack{J_1,J_2\in I_j\\ J_1\cap J_2\neq\emptyset}}\frac{1}{2^{(|J_1\cup J_2|-1)(n-m)}}$$


1 


J-2 


—m) 


7 / 2(t-i)("-”^) V i 

2 i=0 ^ 


j\lQ-3 
i 


1 


1 


< 




‘2/ \jj 2(t-i)("-™) 


_V 

—m) / ^ 


' ' 0-2 


2=0 


22(n—m) 




< 


2 i(n-m) \^2 J \jJ 2(J“1)("“™) 


fl + ^1 


t-2 


.□ 


The advantage of an algorithm is defined as |Pr_p(E) − Pr_f(E)|, where E is the event that the algorithm outputs (say) 1. The maximum of the advantage of an algorithm, over all possible algorithms, is called the adversary’s advantage, and is denoted here by Adv. Clearly,

$$\mathrm{Adv} \le \max_{E\subseteq\Omega}\left|\Pr_p(E) - \Pr_f(E)\right| = \frac{1}{2}\sum_{\omega\in\Omega}\left|\Pr_p(\omega) - \Pr_f(\omega)\right|, \qquad (6)$$

with equality if no computational restrictions are imposed on the adversary. We use the following estimate for Adv, which is slightly better than a similar bound used in [2].

Lemma 2.2. For every S ⊆ Ω,

$$\mathrm{Adv} \le \max_{\omega\in S}\left|\frac{\Pr_p(\omega)}{\Pr_f(\omega)} - 1\right| + \Pr_f(\overline{S}).$$

Proof. Note that

$$\sum_{\omega\notin S}\left|\Pr_p(\omega)-\Pr_f(\omega)\right| \le \sum_{\omega\notin S}\left(\Pr_p(\omega)+\Pr_f(\omega)\right) = \Pr_p(\overline{S}) + \Pr_f(\overline{S}) = \Pr_f(S) - \Pr_p(S) + 2\Pr_f(\overline{S}) = \sum_{\omega\in S}\left(\Pr_f(\omega)-\Pr_p(\omega)\right) + 2\Pr_f(\overline{S}) \le \sum_{\omega\in S}\left|\Pr_p(\omega)-\Pr_f(\omega)\right| + 2\Pr_f(\overline{S}).$$

Therefore, using (6),

$$\mathrm{Adv} \le \frac{1}{2}\sum_{\omega\in S}\left|\Pr_p(\omega)-\Pr_f(\omega)\right| + \frac{1}{2}\sum_{\omega\notin S}\left|\Pr_p(\omega)-\Pr_f(\omega)\right| \le \sum_{\omega\in S}\left|\Pr_p(\omega)-\Pr_f(\omega)\right| + \Pr_f(\overline{S}) = \sum_{\omega\in S}\Pr_f(\omega)\left|\frac{\Pr_p(\omega)}{\Pr_f(\omega)}-1\right| + \Pr_f(\overline{S}) \le \left(\sum_{\omega\in S}\Pr_f(\omega)\right)\max_{\omega\in S}\left|\frac{\Pr_p(\omega)}{\Pr_f(\omega)}-1\right| + \Pr_f(\overline{S}) \le \max_{\omega\in S}\left|\frac{\Pr_p(\omega)}{\Pr_f(\omega)}-1\right| + \Pr_f(\overline{S}).\ \square$$
In the proofs of Theorem 1 and Theorem 2 we apply Lemma 2.2 to the set

$$S = \left\{\omega\in\Omega \;\middle|\; \forall\, 2\le j\le t:\ \left|\mathrm{col}_j(\omega) - \binom{q}{j}\frac{1}{2^{(j-1)(n-m)}}\right| \le \alpha_{j-1},\ \ \mathrm{col}_{t+1}(\omega) \le \beta\right\},$$

where t ≥ 2 is an integer and α_1, α_2, …, α_{t−1}, β are positive real numbers, which are chosen appropriately. A particular case of this S, with t = 2, α_1 = cq/2^{(n−m)/2}, β = 0, was used in [2]. In this work, we get a refined asymptotic approximation for Adv by using the above general choice of S. In the proof of Theorem 1 we also use t = 2, but different α_1 (which we simply denote α) and different β.


3 Proof of Theorem 1

The flow of the proof is as follows. As mentioned in Section 2 we let

$$S = \left\{\omega\in\Omega : \left|\mathrm{col}_2(\omega) - \binom{q}{2}\frac{1}{2^{n-m}}\right| \le \alpha,\ \ \mathrm{col}_3(\omega) \le \beta\right\},$$

where α, β are positive constants to be specified later. In Subsection 3.1 we prove our main technical result, Proposition 3.1, which provides an upper bound for |Pr_p/Pr_f − 1| in S. In Subsection 3.2 we first derive, in Lemma 3.5, an upper bound for $\Pr_f(\overline{S})$. Then we combine Lemma 2.2, Proposition 3.1, Lemma 3.5 and choose optimal parameters α, β to obtain Theorem 1.


3.1 Bounding |Pr_p/Pr_f − 1| in S

In this subsection, we prove the following proposition.
Proposition 3.1. Suppose that q ≤ 2^{n−1},

SP 2 _^ < 1 

2m + 3 ■ 22" - 2’ 


A 1 


2 2" 


P>2 


+ a < 


)m —1 


1 

3 ) ' 


Then for every ω ∈ S,

$$\left|\frac{\Pr_p(\omega)}{\Pr_f(\omega)} - 1\right| \le 2\,\frac{\alpha}{2^m} + 2\binom{q}{2}\frac{1}{2^{n+m}} + 4\,\frac{\beta}{2^{2m}}.$$

In the proof of Proposition 3.1 we use the following three lemmas.

Lemma 3.2. For every x < 1,

$$x \le -\ln(1-x), \qquad (10)$$

for every 0 ≤ x ≤ 1/2,

$$-\ln(1-x) - x \le 2x^2, \qquad (11)$$

and for every 1 ≤ x ≤ 2,

$$x - 1 \le 2\ln x. \qquad (12)$$
Proof. By Taylor expansion, for every x < 1,

$$-\ln(1-x) = x + \frac{x^2}{2(1-\xi)^2}$$

for some ξ between 0 and x, and (10), (11) follow. To deduce (12), note that if 1 ≤ x ≤ 2, then by (10),

$$x - 1 \le 2\,\frac{x-1}{x} \le -2\ln\left(1 - \frac{x-1}{x}\right) = 2\ln x.\ \square$$


Lemma 3.3. Let s, k be positive integers such that s ≤ 2^{k−1}. Then

$$0 \le -\ln\prod_{i=0}^{s-1}\left(1-\frac{i}{2^k}\right) - \binom{s}{2}\frac{1}{2^k} \le 4\binom{s}{3}\frac{1}{2^{2k}} + 2\binom{s}{2}\frac{1}{2^{2k}}.$$

Proof. For every integer 0 ≤ i ≤ 2^{k−1}, by (10) and (11),

$$0 \le -\ln\left(1-\frac{i}{2^k}\right) - \frac{i}{2^k} \le 2\left(\frac{i}{2^k}\right)^2 = 4\binom{i}{2}\frac{1}{2^{2k}} + 2\,\frac{i}{2^{2k}}. \qquad (13)$$

The lemma follows by summing up the inequalities (13) for 0 ≤ i ≤ s − 1, and using the identities $\sum_{i=0}^{s-1} i = \binom{s}{2}$ and $\sum_{i=0}^{s-1}\binom{i}{2} = \binom{s}{3}$. □

Lemma 3.4. Suppose that q ≤ 2^{n−1} and let ω ∈ Ω such that $\mathrm{col}_2(\omega) \le \binom{2^{m-1}}{2}$. Then,


$$0 \le -\ln\frac{\Pr_p(\omega)}{\Pr_f(\omega)} - \ln\prod_{i=0}^{q-1}\left(1-\frac{i}{2^n}\right) - \frac{\mathrm{col}_2(\omega)}{2^m} \le 4\,\frac{\mathrm{col}_3(\omega)}{2^{2m}} + 2\,\frac{\mathrm{col}_2(\omega)}{2^{2m}}.$$

Proof. Suppose that in the q-tuple ω exactly ℓ distinct vectors in {0,1}^{n−m} appear, with multiplicities d_1, d_2, …, d_ℓ, respectively. It is easy to verify that

$$\Pr_p(\omega) = \frac{\prod_{k=1}^{\ell}\left(\prod_{i=0}^{d_k-1}(2^m - i)\right)}{\prod_{i=0}^{q-1}(2^n - i)}$$

and clearly Pr_f(ω) = (1/2^{n−m})^q. Therefore, using that $\sum_{k=1}^{\ell} d_k = q$,

$$\frac{\Pr_p(\omega)}{\Pr_f(\omega)} = \frac{\prod_{k=1}^{\ell}\prod_{i=0}^{d_k-1}\left(1-\frac{i}{2^m}\right)}{\prod_{i=0}^{q-1}\left(1-\frac{i}{2^n}\right)},$$

hence

$$\ln\frac{\Pr_p(\omega)}{\Pr_f(\omega)} = \sum_{k=1}^{\ell}\ln\prod_{i=0}^{d_k-1}\left(1-\frac{i}{2^m}\right) - \ln\prod_{i=0}^{q-1}\left(1-\frac{i}{2^n}\right). \qquad (14)$$

For every 1 ≤ k ≤ ℓ, note that d_k ≤ 2^{m−1} since $\binom{d_k}{2} \le \mathrm{col}_2(\omega) \le \binom{2^{m-1}}{2}$, hence by Lemma 3.3

$$0 \le -\ln\prod_{i=0}^{d_k-1}\left(1-\frac{i}{2^m}\right) - \binom{d_k}{2}\frac{1}{2^m} \le 4\binom{d_k}{3}\frac{1}{2^{2m}} + 2\binom{d_k}{2}\frac{1}{2^{2m}}.$$

Summing up on 1 ≤ k ≤ ℓ, we get that

$$0 \le -\sum_{k=1}^{\ell}\ln\prod_{i=0}^{d_k-1}\left(1-\frac{i}{2^m}\right) - \frac{1}{2^m}\sum_{k=1}^{\ell}\binom{d_k}{2} \le \frac{4}{2^{2m}}\sum_{k=1}^{\ell}\binom{d_k}{3} + \frac{2}{2^{2m}}\sum_{k=1}^{\ell}\binom{d_k}{2},$$

and the lemma follows by (14) since $\sum_{k=1}^{\ell}\binom{d_k}{2} = \mathrm{col}_2(\omega)$ and $\sum_{k=1}^{\ell}\binom{d_k}{3} = \mathrm{col}_3(\omega)$. □
We are now ready to prove Proposition 3.1.


Proof of Proposition 3.1. For every ω ∈ S, by the hypotheses of the proposition and the definition of S,


col2(w) < 



+ a < 



hence, by Lemma 3.4,


0 < - In " ^ 


Prp(a;) 


9-1 


Pr/(w) 


i=0 


-■■nb-i - 


col2(w) col3(w) col2(a;) 


< 4 


22r, 


+ 2 - 


22r. 


In addition, by Lemma 3.3 (for s = q and k = n), since q ≤ 2^{n−1},


Therefore, 


9-1 


i=0 


0<-lnTT l-_ -_ 

- 11 i on On 


2" \2j - 13/ 22" ^ \2 22"' 


ln^-±fcol2M-^" 


In 


Pr/(w) 2- 
Prp(a;) ^ 1 


1 


+ TFF col2(a;) - 


2 / 2 "-’" ! ~ 
q\ 1 


^ ^ col3(ai) ^ oC0l2(a;) 


22ri 


22ri 


Pi/M 2 

By (16), (15) and the definition of S,


2 / 2 " 




Pr/(a;) “ Pr/(a;) “ 2"* V ^ ^ \^2y 2"-™ 


2 col^ 40013 ( 0 ;) 


22 " 


22m - 

q\ 1 


(15) 

(16) 


- 2"! 22"* V V2y 2"-"* 22 ™ ~ \ '*"2"*7 2"*”*" \2j 2"+”* ' "22 

a f q\ 1 /3 

< 2-1- 2 1 -h 4-^. 

“ 2"* V2/2"+"* 22”* 


+ 4:^ < 
(17) 


By (15) and the definition of S,
Prp(a;) 


In 1 ^ ^ _ 

— / N — rtrn. \ ■* \ / 


Pr/(w) 


j_U4n^+2n^< 

2 /2"-"*/ V3/22" I 2 / 22 "- 


<^+4^'^^ —+ 2^®^ — 
“2"* 13/22" \2/22"' 


1 


1 


In particular, using dZD, 

- “p (2^ + 4 ( 1 ) ^ + 2 (^2! 2 ^; j < “p V 2 

hence, if Pr_p(ω)/Pr_f(ω) ≥ 1 then by (12), (18) and (7),


a ^ 2 q^ 
~ 3 ' ^ 


< 2 , 


(18) 


Prp(w) 


Pr/(w) 


P*“; - 1 < 2 ( +41" 1:^ +2 


2"* ' ‘ V3/ 22" 

= 2^ + ^(P)-^ 

2711 2'^”'^ V 2 / 2^"^^ 


9 ) 2 . 

2/ 22" 


+ 4-2 


1 1 a 

_._ < 2 _ h 21 ^ I _ 

0 y 22(7*'—7^) 2 ^^ — 2 ^^ \ 2 / 2 ’^"*”’^ ' ^ 2 ^ 


The proposition now follows from (17) and (19).


+ 47£r- (19) 

□ 
3.2 Derivation of Theorem 1

We start by bounding $\Pr_f(\overline{S})$ from above.

Lemma 3.5. 




1 1 


1 1 1 
- < - 


2 / 2 ™-™ y^j22in-m) ^ - 2 \2^ 

Proof. By Chebyshev's inequality,

1 


6 • 2 — 


Prj I a; G n : 
and by Markov's inequality,


col2(a;) - 


2 2^- 


> aU < 


Var f C 0 I 2 


Pr/ ({w G n : col 3 (w) > /?}) < 


E f C 0 I 3 




Using the union bound, we conclude that 


P^f{S) < 


Varjcol2 Ejcoh 


+ 


and the claim follows by Lemma 2.1.

We now combine Lemma 2.2, Lemma 3.5 and Proposition 3.1.
Lemma 3.6. Suppose that q ≤ 2^{n−1},


a 


1 


3 ^n —,3m l ^n + m 
2^— \2^- 


< 


( ^ ) 

r+ <1 



1 22™ - 2 

iv2 2™ J 


P>2 


1 


3/ 22 ("-™) ’ 


Then 

Adv < 


2 ^ 


L a 1 

+ ( V+2 V2^ 


a 


+ 4^ + 


1 


‘ 22 ™ ' 0 . 2 ^^ 

Proof. All the conditions of Proposition 3.1 are clearly satisfied. Therefore,


2 ^ 


max 

OJGS 


Prp(w) 


Pr/(u;) 


- 1 


< 2 —+ 2 
- 2 ™ 


q\ 1 . P ^ a 

^ ] _L 4—— < 2_h 

2 / 2 ^^ — 2 ^ 


2 ^ 


2 


and the claim follows by Lemma 2.2 and Lemma 3.5.

Theorem 1 now follows by taking α, β to minimize the right hand side of (20).






























Proof of Theorem 1. If $q \ge \frac{1}{2\sqrt{2}}\,2^{\frac{n+m}{2}}$ then (4) holds since surely Adv ≤ 1 and


'1 \ 2/3 

l = 2«/2(ij < 




2/3 


3/2 


+ 


If m ≤ 5 and $q < \frac{1}{2\sqrt{2}}\,2^{\frac{n+m}{2}}$, then (4) also holds, since by the “Birthday” bound (1), which is obviously still valid when the adversary gets only truncated replies from the oracle,


Adv < 


2n+l 


= 2 


m —5 


4g 

2^ 


< 


4g 

2 ^ 


< 2 ^ 


2/3 / „ \ 2/3 

2^2 / q 


q 


2^ J V2^ 


3/2 


n+m 

2 2 


Finally, if 6 ≤ m < n/3 and $q < \frac{1}{2\sqrt{2}}\,2^{\frac{n+m}{2}}$, then it is straightforward to verify that all the conditions of Lemma 3.6 are satisfied if we choose


a := 


2m / 

V2- 


q 


2/3 


Then, by Lemma 3.6,
2 

Adv < I „, „ 

2 ^ 


' a 1 

2 - 1 - - 1 

2^, O \ rvIL+ 


2 V2 


q 


2 ^ 


2 ^ 


2/3 


2 ^ 


2/3 


/?:= 

2 " 
a 

2y/2 


2y/Q-2- 


2^n 


3j2 


22 ri 


^ ^ n —3m 

6-2 2 


2 ^ 


3 22m 


V3 • 2- 


2 ^ 


3/2 


< 


<2^(—^f g 

-\2^) ^ Vi\2^ 

3/2 

+ 

2 ^ 

.□ 

4 Proof of Theorem 2

The proof of Theorem 2 is more elaborate and technical than the proof of Theorem 1, but goes along a similar path. It uses statements that are analogous to those used in the proof of Theorem 1. As mentioned in Section 2 we let


$$S = \left\{\omega\in\Omega \;\middle|\; \forall\, 2\le j\le t:\ \left|\mathrm{col}_j(\omega) - \binom{q}{j}\frac{1}{2^{(j-1)(n-m)}}\right| \le \alpha_{j-1},\ \ \mathrm{col}_{t+1}(\omega) \le \beta\right\},$$

where t ≥ 2 is an integer and α_1, α_2, …, α_{t−1}, β are positive real numbers to be specified later.


4.1 Bounding |Pr_p/Pr_f − 1| in S

The following proposition is analogous to Proposition 3.1.
Proposition 4.1. Suppose that m ≤ n − 2, q ≤ 2^{n−1}, 2 ≤ t ≤ 2^{(m−3)/2} + 1,


1 /2’"-i 

■-f cti < I 

2 J 2 "-™ \ 2 


Sir) 

/3 > 2 


1 /2(g + t-l)V+\ ^ (j-1)! /I 


2t(t + 1)2 

q \ 1 


J: _ -r I. - x; \ 

[ 2 ^ J ^ 


i=i 


2^^ 


«/ < o> 


t + 1 / 2 d"-™) ■ 


( 21 ) 

( 22 ) 

(23) 
Then for every ω ∈ S,


Prp(w) 


Pr/(w) 


- 1 


<4 1 + 


2 ( 1 - 1 ) 2q 


)m On 


, 2 ^ 




(j-1)!^ \ , 2‘(1-1)! 


\i=2 




In the proof of the proposition we use several lemmas.
Lemma 4.2. For every integers i ≥ 0, j ≥ 1,

i-i 


0 ^-- 


J'- \J 


^Ur-l 


r—1 


r} 


Proof. Note that 


hence 


(j - 1)) < < (i + j - 1)... (i + l)f, 


^ -T ^ 

.Jj J- 


i + j -I 




and the claim follows. 


2tn 


P- 


□ 


With this we prove the following lemma.

Lemma 4.3. Let i, k, t be integers such that k ≥ 1, 0 ≤ i ≤ 2^{k−1}, t ≥ 2. Then,


0 <-ln 1 -^ 


t-i 


U - i)Y* 


2 * / 21 '= \j 


< 


j=l r=l ^ 


2*(1- 1)! ^ ft-I 
2*k Ir — ly \rj 

r=l ^ 


• (24) 


Proof. By Taylor expansion, for every 0 ≤ x < 1,

$$-\ln(1-x) = \sum_{l=1}^{t-1}\frac{x^l}{l} + \frac{x^t}{t(1-\xi)^t}$$

for some 0 ≤ ξ ≤ x. It follows that for every 0 ≤ x ≤ 1/2,

$$0 \le -\ln(1-x) - \sum_{l=1}^{t-1}\frac{x^l}{l} \le \frac{2^t}{t}\,x^t.$$


In particular, 




1=1 


(25) 
and by Lemma 4.2




(j - 1 )! / 


^ 2ik \ j\ 

7=1 


^E^leioc)' 


hence 


0 < - In 1 - 


2 fc 


^ (j-1)! ^ A-r 
Vj7 “ ^^\r-l)\rj 


^ / 7. 
T 


and the lemma follows since by Lemma 4.2

t 


‘^ (1 

t V 2 '= 


2 ‘(t-l)! 7 2 ‘(t- 1 )! 7^/t -1 


2tk 


t\ 


< 


2tk 


T. Z 


r—1 


r — 1 / \r 


This leads to the following lemma, which is a generalization of Lemma 3.3.
Lemma 4.4. Let s, k, t be positive integers such that s ≤ 2^{k−1}, 2 ≤ t ≤ 2^{k/2} + 2. Then,

s-l 


0 < — In 


i=0 


^ 2^^= \j + lj - \2j 22fe 2*^= ^ Vj - ly Vj + 1 




1 = 
^s-l 


□ 


2k J ^ 2^^= A +1/ “ \2j 22^= 2*^= 

Proof. By summing up (24) for 0 ≤ i ≤ s − 1 and using the identity $\sum_{i=0}^{s-1}\binom{i}{j} = \binom{s}{j+1}$,




2=0 


V^(j-l)!^ A'-l 

- E 2i’= ^\r-lj\r+l 

j—1 r—1 ^ \ ' 


2*(f- 1)! 


2tk 


r—1 


r — 1 7 Vr + 1 


For every r, j such that 2 ≤ r + 1 ≤ j ≤ t − 1,


J'- 


J 


20+i)fc — 1 

hence, for every 1 ≤ r ≤ t − 2,


(7 - 1)! yj - _ j 

23k U _ 1 


2 fe j - {r- 1 ) 


<EE!<i 

- 2 fe . 2 - 2 ’ 


t-1 

E 

j=r+l 


(7 - 1 )! ^7 - 1 

2jk 


r\ ■ r 

< 2 __ 

r- 17 2 ’-'= ■ 


Therefore, 


.7^ 9.?fc I r — 


23 k 

j=l r=l 


r — 17 V’’ + 1 


< 


t-2 

E2 


n| 


r=l 

and the lemma follows. 


2(7-+i)fc A + 1 



< 


r—1 


< 


s\J_ 

2 7 22fc’ 


□ 
This leads to the following lemma, which is a generalization of Lemma 3.4.
Lemma 4.5. If q ≤ 2^{n−1}, 2 ≤ t ≤ 2^{m/2} + 2, then for every ω ∈ Ω for which $\mathrm{col}_2(\omega) \le \binom{2^{m-1}}{2}$,

9-1 / ■ \ t-i 


0 < — In 


Prp(a;) 

Pr/(w) 




-i-n -E 


(J-I)! 


f=i 


2^^ 


colj+i(a;) < 


< gSEM + ^ col,+ 1 ( 0 ;). 

. 7=1 ^ 


22r, 


2tn 


Proof. Suppose that in the q-tuple ω exactly ℓ distinct vectors in {0,1}^{n−m} appear, with multiplicities d_1, d_2, …, d_ℓ respectively. For every 1 ≤ k ≤ ℓ, note that d_k ≤ 2^{m−1}, since $\sum_{k=1}^{\ell}\binom{d_k}{2} = \mathrm{col}_2(\omega) \le \binom{2^{m-1}}{2}$, hence by Lemma 4.4


0 < — In 


^ TT ^_ ~ ^ <8 

111 2 ™ / ^ 2f ™ \7' + l/ V2 / 22"* 

i=o ^ ^ j=l / \ / 

Summing up on 1 ≤ k ≤ ℓ, we get

I dk 1 / • \ t 1 / . -1 \ I ^ / j 


+ 


2 *(t — 1 )! ~ r 

^VJ-V Vj + 1 


fc —1 i —0 


i=i 


fe=i 


< 


< 


' 'dk\ 2*(t-1)! A/t-fo ' 


227^ 


■E 

fc=i 


+ 


2 **^ 




2-^ V 7 ~ 17 V 7 + 1 

7 = 1 W Z \J 


and the claim follows by (14).


□ 


Finally, we also need the following technical lemma.
Lemma 4.6. For every integers n, m, q and t,

1 


2*(t- 1)! 


2*71 


\ i - ij \ j + ij 2f("-”*) 

7 = 1 W / \j / 


< 4 


n + m 

2 2 


2 (t-l) ^ 2q 

2^m 2^n 


t-2 


Proof. Note that 

t-i 


it-iy.Y, 


t — 1\ f q 


^ \j - 17 \j + 17 2 h"-"*) 


t-i 




i=i 


t - 2\ gJ+i 1 


j - 17 (j + 1 )! 2 -J("-”*) 


t-i 


t-2\{t- l){t- 1 )! 


2n-mZ^^yj_lj (j-hl)! 


— On—m / ^ \ /j’ _ 


V 277-777 y 


i -1 


< 


i=i 


.7 - 1 


( 1 

1 '”'- ( 

V 271-777 y 





hence 


2‘(t- 1)! tiA ft-1 


2 ‘ 


- l) + l) 2 l("“”*) “ 2 *"* 2 

=1 / \j / 


—v< -^— 7-1) + — 

—m.) — orm, nn.—m, \ ' on — 


= 4 


/ g y/ 2 (t-l) 

2g\ 

^^7 V 2"* 

+ 2"j 
Proof of Proposition 4.1. For every ω ∈ S, by (21),

$$\mathrm{col}_2(\omega) \le \binom{q}{2}\frac{1}{2^{n-m}} + \alpha_1 \le \binom{2^{m-1}}{2},$$

hence by Lemma 4.5 and Lemma 4.4


, Prp(a;) „col2(w) 2*(< — 1)! — 1\ 

-In : <8 —^ + —^coL+i(a; + 

Pr/(a;) “ 2^^^ 2*™ 




In 


Prp(a;) ^fq\ I , 2*{t - 1)1 ^ ft - 1 

Pi7(^) ^ 


2 / 22 '’ 


2 ‘” § 0 -VVj + i 


t -1 

-E 

i=i 


2jm 


colj+i(a;) - ( . 


j + lj 


(27) 


By (10), (25) and the definition of S,


1 - 


Prp(a;) ^ Prp(a;) 


Pr/(w) 


< 


- 22 m 


Pr/(w) 

1 


2 / 2 '’ 


+ Oil I + 


+ 


2*(t- 1)! 

2 tm 


t-1 


^ VJ-iy VVj + iy'2^( 


i -1 


+E 


i=i 


2jm 


q\ 1 2 *(t- 1 )! ^/t -1 


2 I 2 ^"^^ 2 ^^ 


Ec: 


j - 1/ Vj + 1/ 2J(''-'" 


+ 8S+IE 

0=1 


<4 


n + m 
2 “ 2 — 


+ 4 


21 ' 

q 


+ 


n + m 
2 ^“ 



2^(t-l)! 


< 


+ 




(j-l)! ) , 2\t-l)\^ 

Oil \ H--P, 


21 ' 


2 *” 


(28) 


where on the last step we used Lemma 4.6 and the fact that for every 1 ≤ j ≤ t − 1, since (t − 1)^2 ≤ 2^{m−3},


2‘(t-1)!/t-1\ 2‘(t-l)! (t-1)! 2*(j - 1)1 /(t-1)1 


2 *'’ 


< 


j-l/ 2*'" (j - 1)1 2*'" V (j -1)! 


< 


< 


2 *(J- 1 )! 

2tm 


(t- 1 ) 2 (‘- 1 ) = 2 ^- 


(j-1)! /(t-l)2y-^ .(j_i)! 


23r 


)m —1 


< 2 ^- 


21 '’ 


On the other hand, by (27) and the definition of S,


j^PrpM^gM 1 , 2‘(t-l)! 


Pi/H 


2 / 22 ' 


2 *' 


^ Vj - ly Vj +1 


i=i 




1=1 


21 ' 


(29) 
In particular, by (22),


Pr/(a;) “ \2j 2^^ 2‘" V t+1 7 ^ 2^ 


^ (J - 1 )! . 


J — 


< 4 




1 


/2 (g + t - 1) \ ^ 

\ 2^ ) ^ 


2t(t + l)2^(‘-^S) 

hence Pr_p(ω)/Pr_f(ω) ≤ √e < 2. Therefore, if Pr_p(ω)/Pr_f(ω) ≥ 1 then by (12), (29) and
t /, -, \ / \ t-i 


- 1 )! 1 
-—-ai < -, 
2jm J - 2 


Prp(cu) 

Pr/(a;) 



^ \j - V \j +1 


q 


E 

i=i 


(j-1)! 


2 i'^ 


< 






2 tn 


i=i 




2n—m—2 \ 2 


2 ‘(t- 1 )! ^ /t- 1 


2 ‘" 


E _ 17 \^j _|_ 17 


^ (j- 1 )! ^ 2 ‘(t-l)!^ 

7 2 ——Of,- + 


i=i 




2 ‘" 


and we are done by Lemma 4.6.


□ 


4.2 Derivation of Theorem [2] 

The following lemma is a generalization of Lemma 3.5.


Lemma 4.7. 


Pr,(S)<|:7t' 


1 / q \J -1 1 

(1 H- - ' 

V 2"- 


V 2 / Vi + 1/ 2J(”“™) 

i=i ^ / V / 

Proof. By Chebyshev's inequality, for every 1 ≤ j ≤ t − 1,

q \ 1 


Pr/ G n : 
and by Markov's inequality,


colj+i(a;) - , 


j + lj 2 f("’“™) 


2 + 17 2*("-™)/3' 


Pr/ ({w G n : colt+i(a;) > j3}) < 
Using the union bound, we conclude that 


> < 


Ef colt+i 


Var/ colj+i 


p^fis) < I y 

U =1 


i Var/ colj+i ] E/ cob+i 


and the claim follows by Lemma 2.1.


□ 
Combining Lemma 2.2, Lemma 4.7 and Proposition 4.1 we get the following generalization of Lemma 3.6.

Lemma 4.8. Suppose that m ≤ n − 2, q ≤ 2^{n−1}, 2 ≤ t ≤ 2^{(m−3)/2} + 1,




+ oti < 



4 m' + _ i _ ( 


/3 > 2 



1 


i +1 


t-1 


+E 


23 m 



Then 


Adv < 4 



2 (t-l) 

2 ™ 


+E 


1=2 



(j - 1)!«1 

21 m 



Taking α_1, α_2, …, α_{t−1}, β to minimize the right hand side of (30) we get the following.
Lemma 4.9. Assume that m ≤ n − 2, q ≤ 2^{n−1}, 2 ≤ t ≤ 2^{(m−3)/2} + 1,

t+i 


1 


2 g 

Ti — m fx Ti + m \ I ... n+m 

2—3—V 2 t“ 


+ 


< 


+ 1 ) 


n + m 

2 2 


4(t-2) 


2 — 


1 + ^ V 2 — 

i -r 2 m 


+ 


< i A _ 2 . 

'^+'^ / 2 '^ — 2 \ 2 2 ^^ 




^ n + m I ^ n + m — o ’ 

2 “2~ / 2^“ o 


and 


, , n —m/. n + m \ I ^ 

2t(t + V 2 


^ 2 (g + t-l)y+\ 


2\/l + ^ ^ 


ij-i 






n + m — r) ' 
^2 


Then 


Adv <41 + 


p(t-l) 2q 

2 ™ 2 " 


t-2^ 


^ 2 ^ ; + 2 ^^l+ 2 


4 / g 


n + m 

2 2 


+ 2^^f7 ^ 


V 2 " 


^ +. ^ 


V2 


2q 

2t ' 2'^y'y 2^ ' ^tit + 1) 2^(‘-^) V2'^ 


• (31) 
Proof. Take


ai := 


Ck. f . — 




2/3 


23^ 


^2{l + 23){j-1)P y2U-iKn-m) 
for 2 ≤ j ≤ t − 1, and


3 + 3 


2 ^ 


i-i\ 3 


f3:= 


^t+i 


{t- 1 )! \t{t + 1 ) • 2 d"+i) 


and use Lemma 4.8.

The proof of Theorem [2] follows by taking t = [^ 3^1 in Lemma IT^ 

Proof of Theorem 2. The inequality (5) clearly holds for $q \ge \frac{1}{3\sqrt{3}}\,2^{\frac{n+m}{2}}$ since surely Adv ≤ 1 and


□ 


1 = 3 1 


2/3 




2|i| <3 


2 ^ 


< 3 


2/3 


2 ^ 


2 ^ 


< 


2/3 


+ 2 


2 ^ 


+ 5 


2 ^ 


1 ( 2q 


2 V2 


We therefore assume $q < \frac{1}{3\sqrt{3}}\,2^{\frac{n+m}{2}}$, and let t be as above. Note that 5 ≤ m ≤ n − 8, since n/3 ≤ m ≤ n − log_2 n − 4. Therefore,

2(^- 1) ^ 2 ■ ^ + 2 ^ m + 4 ^ 

2m - 2^+1 - 64’ 


2 " 


2 ^ 

2 


2 — 2 ^ 


- 64’ 


hence 


4 1 + 


/ 2 (t-l) 2q 


t-2\ 


\ 2™ '2 
Additionally, using also that t ≥ 3, since m ≥ 5,


-I |<4|1+|- + - 


< 5. 


2/3 


2^fl + ±] <2 ^(i + 4 


4 \ 


2/3 




25 ) 


<3, 


2 v^ 


2 ^ 2 ^ 


V2 


Vt{t + l) 2^(*-^) “ 2 

and finally, since 2q/2^n ≤ 1 and


<2^00 (^1 ('i + 1L'<2, 

<^<1 


_2q_ 

2 ^ 


< 


_2q_ 

2 ^ 


(32) 

(33) 

(34) 

(35) 

(36) 


Since it is straightforward to verify that n, m, q, t satisfy all the conditions of Lemma 4.9, we get (5) by combining (31), (32), (33), (34), (35) and (36). □
5 Discussion


We conclude with the following note. As mentioned above, the analysis in [2] is also based on examining the set S, but only for the particular choice of parameters: t = 2, α_1 = cq/2^{(n−m)/2}, β = 0. Choosing α_1 to be proportional to the standard deviation of col_2 seems reasonable and natural (although in our analysis we employ a somewhat different choice). However, choosing β = 0 is artificial and too restrictive, and limiting t to be 2 is insufficient for getting the result for large m.